Report: 86% Of All Vulnerabilities Found In Third-Party Programs; SCADA At Particular Risk

Go ahead, patch those Microsoft products all you want. It won't necessarily make you impervious to attack, according to a new report.

A vulnerability review, issued last week by the vulnerability management company Secunia, found that 86 percent of vulnerabilities discovered in the 50 most popular programs in 2012 were in non-Microsoft (or “third-party”) programs, up 8 percent from its report last year. Over a five-year period, the share of third-party vulnerabilities increased from 57 percent in 2007 to 86 percent in 2012.

Morten R. Stengaard, Secunia’s Director of Product Management, told Security Bistro that for users there is a noticeable disconnect. In his estimation, while Microsoft does a good job of marketing its security fixes, users don't always know that their third-party applications require timely patching. And if they do know, he said, it might be a question of means.

"[Users] many times don't have the resources and tools in place to do so. Since managing software patches for third-party products can be confusing and time-consuming, as the third-party vendors do not use a consistent tool to notify consumers about patches, they never get around to it," Stengaard said.

The remaining 14 percent of vulnerabilities were found in Microsoft programs and Windows operating systems – a much lower share compared to 2011, indicating that Microsoft continues to focus on security in their products, according to the findings.

The review found that patches are both more widely available and arriving faster. Eighty-four percent of vulnerabilities had a patch available on the day of disclosure, so the ability to patch endpoints is in the hands of end-users and organizations; in 2011, the figure was 72 percent.

Even as issues with third-party applications appear to be growing year-to-year, Stengaard told Security Bistro that he retains some "cautious" optimism that this trend might have reached its zenith.

"The good news is that it is probably as bad as it can get, and therefore it can only get better," he said.

That caution, however, comes from the fact that a majority of SMBs, in Stengaard's estimation, do not currently patch their third-party applications. That is a problem when 86 percent of all vulnerabilities fall into this category.

The report also presented vulnerabilities across a number of areas, from browsers to vendors, but one sector that is often seen as increasingly vulnerable might remain that way for the foreseeable future.

SCADA (Supervisory Control And Data Acquisition) security -- which governs the computer-controlled systems that monitor and control industrial, infrastructure, and facility-based processes -- received some not-so-positive news.

The report found that many industrial control system vulnerabilities in SCADA software remain unpatched for longer than one month. As for general SCADA vulnerability readiness, the report found that SCADA software today is at the stage mainstream software was at 10 years ago: security updates are erratic (there is great variation in how they are handled) compared to what many are accustomed to in mainstream programs.

Solutions?

So if, as Stengaard surmises, most SMBs opt not to patch their third-party applications, what can be done to stem the tide? Stengaard offers a pragmatic approach.

"The first thing is of course to acknowledge that this is an important problem that needs to be solved to stay secure, and that relying on an antivirus solution and a firewall is simply not enough to keep cybercriminals away," he said. "Secondly, [enterprises] need to implement a patch management solution that is easy to use, and can help them manage patches efficiently, without having to invest significant resources in this. The latter is important, since we see that the more resources are needed to get the job done, the higher the likelihood that third-party patches are neglected."

The Secunia Vulnerability Review analyzed the evolution of software security from a global, industry, enterprise and endpoint perspective, presenting data on vulnerabilities, exploits and the availability of patches. It then correlated this information with the market share of the programs to evaluate the true threats.